Almost anything you do or interact with online involves some form of data, and this data tells a story about who you are and where you have been, what food you have been ordering and your favourite shopping brand. From web browsing to smartphones, you and everyone you know are tracked and logged, and the data is shared among a variety of third-party services.
Remember when you were looking for something on the internet and started seeing ads for similar products on every social media platform 🔍
Ever wondered how that is done?
It is done through “cookies”, not the ones you eat 😆, small records that your browser stores and that are then used for re-marketing campaigns.
What is a cookie?
Cookies are small bits of data stored on a browser. Websites use this data to track users and enable/disable user-specific features.
A cookie is saved as a name–value pair. Other information saved with it includes the domain, the expiration date, the path and whether the cookie is marked as secure. In some browsers each cookie is a small file, but in Firefox all cookies are stored in a single file.
A simple example: user consent stored with the value yes for the domain google.com, together with an expiry date.
Let’s see the amount of data Google is storing…
Read about the types of cookies used by Google: https://policies.google.com/technologies/types?hl=en
Real-world application of cookies
- To know whether visitors to the website had been there previously.
- To identify whether a user is logged in or not.
- To pick up your location to show nearest restaurants.
- To show city specific products to users.
- Tracking users’ activities for analytics purposes.
- Optimising the website for your second visit.
Do you see security concerns here?
You must have heard of Cross-Site Scripting (XSS). This kind of attack lets an attacker inject scripts into other users’ browsers. Because the injected code reaches the browser from the site itself, the browser trusts it, and it can do things like send the user’s site authorisation cookie to the attacker. With that cookie they can log in to the site under your identity and do things like access your credit card details, see your contact details, or change your password.
Secondly, invasion of privacy is a bigger concern. If you are going to use the web and allow your browser to accept cookies, you are being tracked, and now you know it.
What to do to prevent an attack?
- Keep your browser up to date so that attackers cannot take advantage of security holes in outdated browsers.
- If your browser warns you, or you have the slightest doubt that a site is potentially malicious, don’t proceed to the site.
- Do not block all cookies; doing so can make it difficult for sites like Amazon, Bigbasket, Flipkart and Swiggy to show you personalised.
- Block third-party cookies if you don’t want to allow them.
- Do not store sensitive data in cookies.
- Make use of encryption techniques and encrypt the value if required.
- Set the expiration date for your cookies.
- Make sure to mark the cookie ‘secure’ so that it can only be transmitted over HTTPS.
- Set the domain/sub-domain for the cookie so that it is restricted, which reduces the attack surface.
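The developer advice in the list above (mark the cookie secure, give it an expiry, scope its domain) can be checked mechanically. The following is an added example, not code from the original article: it builds a hardened Set-Cookie header and audits any Set-Cookie header for those attributes, plus HttpOnly and SameSite, which close the XSS cookie-theft case described earlier. The cookie name, value and domain are constructed sample data.

```javascript
// Added example, not code from the original article. Cookie names, values
// and domains below are constructed sample data.

// Build a hardened Set-Cookie header value from the pieces the article lists.
function buildSetCookie({ name, value, domain, path = "/", maxAgeSeconds }) {
  // Encode the value so ';' or ',' inside it cannot break the header syntax.
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (domain) parts.push(`Domain=${domain}`); // scope to one host or sub-domain
  parts.push(`Path=${path}`);
  if (maxAgeSeconds !== undefined) parts.push(`Max-Age=${maxAgeSeconds}`); // bounded lifetime
  parts.push("Secure");       // never sent over plain HTTP
  parts.push("HttpOnly");     // invisible to document.cookie, so injected scripts cannot read it
  parts.push("SameSite=Lax"); // not attached to most cross-site requests
  return parts.join("; ");
}

// Split a Set-Cookie header into name, decoded value and an attribute map
// (attribute names lower-cased; flag attributes such as Secure map to "").
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq < 0 ? pair : pair.slice(0, eq);
  const value = eq < 0 ? "" : decodeURIComponent(pair.slice(eq + 1));
  const attributes = new Map();
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    attributes.set(k.toLowerCase(), v);
  }
  return { name, value, attributes };
}

// Return the list of problems found; an empty list means the header passes.
function auditSetCookie(header) {
  const { attributes } = parseSetCookie(header);
  const problems = [];
  if (!attributes.has("secure")) problems.push("missing Secure: cookie can be sent over plain HTTP");
  if (!attributes.has("httponly")) problems.push("missing HttpOnly: readable by injected scripts (XSS)");
  if (!attributes.has("max-age") && !attributes.has("expires")) problems.push("no Max-Age/Expires: lifetime is not explicitly bounded");
  if (!attributes.has("samesite")) problems.push("missing SameSite: attached to cross-site requests");
  return problems;
}

// Usage: the hardened header passes; a bare header is flagged on every point.
const hardened = buildSetCookie({ name: "session", value: "abc 123", domain: "shop.example", maxAgeSeconds: 3600 });
console.log(hardened, auditSetCookie(hardened));       // []
console.log(auditSetCookie("session=abc123; Path=/"));  // four problems
```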
Cookies are an integral part of the modern web and we can’t just stop making use of them but we can try not to be heavily dependent on them.
Proper web application security helps you detect security issues as well as defend the application against external threats. The more familiar you become with it, the better off you will be.
Thank you for reading this article. If you have enjoyed it, feel free to like it and help others find it. Feel free to reach out to me 🙌